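#!/bin/bash
# Security Investigation Script for Suspicious Device
#
# Gathers what this machine can see about one LAN host (default
# 192.168.50.81): live sockets, routes and firewall rules that mention it,
# the local resolver's recent activity and a few local indicators, then
# optionally blocks the host with iptables and prints a recommendation list.
#
# Usage:    ./investigate.sh [TARGET_IP]
# Outputs:  every report line goes to stdout and is appended to LOG_FILE
#           (created in the current directory).
# Requires: ss, ip, journalctl; iptables via sudo for the firewall sections.

# Unset variables are bugs here. `set -e` is deliberately NOT used: the
# report pipelines below end in `grep`, which returns 1 whenever a section
# has nothing to show, and that must not abort the whole investigation.
set -u

# The target may be given as the first argument; the default is the host the
# script was originally written for.
TARGET_IP="${1:-192.168.50.81}"

# TARGET_IP is passed straight to grep, tcpdump and iptables command lines,
# so accept only a dotted-quad IPv4 literal.
if [[ ! "$TARGET_IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]; then
  printf 'error: TARGET_IP must be an IPv4 address, got: %s\n' "$TARGET_IP" >&2
  exit 2
fi
readonly TARGET_IP

# One timestamped log per run; the first `tee` (no -a) below truncates it.
readonly LOG_FILE="security_investigation_$(date +%Y%m%d_%H%M%S).log"

# Keyword watch-list written for manual review. Nothing in this script reads
# it back; it is a reference file, not a detection input.
readonly SUSPICIOUS_DOMAINS_FILE="suspicious_domains.txt"

echo "=== Security Investigation for $TARGET_IP ===" | tee "$LOG_FILE"
echo "Timestamp: $(date)" | tee -a "$LOG_FILE"
echo "WARNING: Device may be compromised!" | tee -a "$LOG_FILE"
echo "" | tee -a "$LOG_FILE"

# Create list of suspicious domains to watch for (quoted delimiter: the
# keywords are written literally, nothing is expanded).
cat > "$SUSPICIOUS_DOMAINS_FILE" << 'EOF'
# Malware/Phishing domains
malware
virus
trojan
phishing
spam
botnet
crypto
mining
ransomware
ddos
exploit
hack
crack
warez
porn
adult
xxx
sex
malicious
suspicious
EOF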
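# Function to check current network connections
#######################################
# Report what this host currently knows about TARGET_IP: non-listening
# TCP/UDP sockets, routing-table entries and iptables rules that name it.
# Globals:   TARGET_IP (read), LOG_FILE (appended)
# Arguments: none
# Outputs:   report lines to stdout and LOG_FILE; "(none)" when a section
#            matched nothing, so an empty section is not mistaken for a
#            failed command
# Returns:   status of the last pipeline (tee)
#######################################
check_current_connections() {
  echo "1. Checking current network connections from $TARGET_IP..." | tee -a "$LOG_FILE"
  echo "" | tee -a "$LOG_FILE"

  # `ss -l` prints only *listening* sockets, which carry no peer address, so
  # grepping that output for a remote host can never match. Without -l, ss
  # shows the established/connected sockets; -n suppresses DNS lookups.
  # grep -F -w: the dots in an address are literal, and the word match keeps
  # 192.168.50.81 from also matching 192.168.50.8xx.
  echo "Established connections:" | tee -a "$LOG_FILE"
  ss -tun | grep -Fw -- "$TARGET_IP" | tee -a "$LOG_FILE"
  if [[ "${PIPESTATUS[1]}" -eq 1 ]]; then   # grep: no line matched
    echo "(none)" | tee -a "$LOG_FILE"
  fi

  # Check routing table for any unusual routes
  echo "" | tee -a "$LOG_FILE"
  echo "Routing table entries involving $TARGET_IP:" | tee -a "$LOG_FILE"
  ip route | grep -Fw -- "$TARGET_IP" | tee -a "$LOG_FILE"
  if [[ "${PIPESTATUS[1]}" -eq 1 ]]; then
    echo "(none)" | tee -a "$LOG_FILE"
  fi

  # Check for any iptables rules targeting this IP. NOTE(review): on hosts
  # that use nftables natively, rules may live in `nft list ruleset` instead
  # and will not appear here.
  echo "" | tee -a "$LOG_FILE"
  echo "Firewall rules for $TARGET_IP:" | tee -a "$LOG_FILE"
  sudo iptables -L -n | grep -Fw -- "$TARGET_IP" | tee -a "$LOG_FILE"
  if [[ "${PIPESTATUS[1]}" -eq 1 ]]; then
    echo "(none)" | tee -a "$LOG_FILE"
  fi
}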
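# Function to monitor network traffic
#######################################
# Capture packets to/from TARGET_IP for a bounded time and log them.
# Needs root (sudo) and blocks for the whole duration; it is not part of
# the default step sequence, callers invoke it explicitly.
# Globals:   TARGET_IP (read), LOG_FILE (appended)
# Arguments: $1 - capture duration in seconds (default 30)
# Outputs:   tcpdump lines to stdout and LOG_FILE
# Returns:   2 on a non-numeric duration, else the status of the last
#            pipeline stage (tee)
#######################################
monitor_traffic() {
  local duration="${1:-30}"
  if [[ ! "$duration" =~ ^[0-9]+$ ]]; then
    printf 'monitor_traffic: duration must be a whole number of seconds, got: %s\n' \
      "$duration" >&2
    return 2
  fi

  echo "" | tee -a "$LOG_FILE"
  echo "2. Monitoring network traffic from $TARGET_IP..." | tee -a "$LOG_FILE"
  echo "Press Ctrl+C to stop monitoring" | tee -a "$LOG_FILE"
  echo "" | tee -a "$LOG_FILE"

  # Use tcpdump to capture traffic from the suspicious device.
  # -l line-buffers tcpdump's stdout so packets reach tee (and the log) as
  # they are seen rather than only when the block buffer flushes at exit;
  # without it, a capture killed by `timeout` can lose its tail.
  echo "Starting traffic capture (${duration} seconds)..." | tee -a "$LOG_FILE"
  timeout "$duration" sudo tcpdump -l -i any -n host "$TARGET_IP" | tee -a "$LOG_FILE"
}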
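# Function to check DNS queries
#######################################
# Show the local resolver's recent journal lines and its statistics.
# Note that this is *this host's* resolver, not the target device's: it
# only reflects the target if this host resolves names on its behalf.
# Globals:   LOG_FILE (appended)
# Arguments: none
# Outputs:   report lines to stdout and LOG_FILE
# Returns:   status of the last pipeline stage (tee)
#######################################
check_dns_queries() {
  echo "" | tee -a "$LOG_FILE"
  echo "3. Checking DNS queries..." | tee -a "$LOG_FILE"

  # Check systemd-resolved logs for DNS queries.
  # NOTE(review): systemd-resolved records individual queries only at debug
  # log level, so on a default install this section is usually empty.
  # grep -E instead of the GNU-only "\|" alternation.
  echo "Recent DNS queries:" | tee -a "$LOG_FILE"
  journalctl -u systemd-resolved --since "1 hour ago" \
    | grep -iE "query|dns" | tail -20 | tee -a "$LOG_FILE"

  # Resolver cache/statistics counters (cache size, hits/misses). These are
  # counters only; they do not by themselves reveal cache poisoning.
  # `systemd-resolve` was superseded by `resolvectl`; prefer the current
  # tool and fall back to the legacy name.
  echo "" | tee -a "$LOG_FILE"
  echo "DNS cache entries:" | tee -a "$LOG_FILE"
  if command -v resolvectl >/dev/null 2>&1; then
    resolvectl statistics | tee -a "$LOG_FILE"
  elif command -v systemd-resolve >/dev/null 2>&1; then
    systemd-resolve --statistics | tee -a "$LOG_FILE"
  else
    echo "(resolvectl / systemd-resolve not available on this host)" | tee -a "$LOG_FILE"
  fi
}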
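# Function to check for malware indicators
#######################################
# Local, keyword-based indicators on *this* host: process command lines
# with suspicious words, sockets on a fixed list of ports, and recently
# modified scripts/executables in the temp directories.
# Globals:   LOG_FILE (appended)
# Arguments: none
# Outputs:   report lines to stdout and LOG_FILE
# Returns:   status of the last pipeline stage (tee)
#######################################
check_malware_indicators() {
  echo "" | tee -a "$LOG_FILE"
  echo "4. Checking for malware indicators..." | tee -a "$LOG_FILE"

  # Check for unusual processes. Bracketing the first letter of each word
  # makes the pattern not match the grep process's own command line, which
  # is what `| grep -v grep` was for (and that also hid any real process
  # that merely had "grep" somewhere in its arguments).
  echo "Checking for unusual processes..." | tee -a "$LOG_FILE"
  ps aux | grep -E "([c]rypto|[m]ining|[m]alware|[s]uspicious)" | tee -a "$LOG_FILE"

  # Sockets whose local or peer port is on the watch-list. `-l` showed only
  # listening sockets, so actual connections were never inspected; -a lists
  # both. ss replaces netstat, which many distributions no longer ship.
  # The trailing (space|end-of-line) anchor stops ":25" matching ":2500".
  echo "" | tee -a "$LOG_FILE"
  echo "Checking for connections to suspicious ports..." | tee -a "$LOG_FILE"
  local port_re=':(25|1433|3306|5432|27017|6379|8080|8443)([[:space:]]|$)'
  if command -v ss >/dev/null 2>&1; then
    ss -tuna | grep -E -- "$port_re" | tee -a "$LOG_FILE"
  elif command -v netstat >/dev/null 2>&1; then
    netstat -tuna | grep -E -- "$port_re" | tee -a "$LOG_FILE"
  else
    echo "(neither ss nor netstat available on this host)" | tee -a "$LOG_FILE"
  fi

  # Check for unusual files. find's implicit -a binds tighter than -o, so
  # `-name a -o -name b -o -name c -mtime -1` applied the age filter to
  # "*.sh" only and listed every *.exe/*.bat regardless of age; the
  # parentheses apply -mtime to all three patterns.
  echo "" | tee -a "$LOG_FILE"
  echo "Checking for recently modified suspicious files..." | tee -a "$LOG_FILE"
  find /tmp /var/tmp -type f \( -name "*.exe" -o -name "*.bat" -o -name "*.sh" \) \
    -mtime -1 2>/dev/null | tee -a "$LOG_FILE"
}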
# Function to provide immediate security recommendations
#######################################
# Print the fixed recommendation checklist, with the iptables examples
# filled in for TARGET_IP.
# Globals:   TARGET_IP (read), LOG_FILE (appended)
# Arguments: none
# Outputs:   the checklist to stdout and LOG_FILE
# Returns:   status of tee
#######################################
security_recommendations() {
  # One here-document fed to a single tee instead of one echo|tee pair per
  # line. The text is identical; only $TARGET_IP is expanded in it.
  tee -a "$LOG_FILE" <<EOF

5. IMMEDIATE SECURITY RECOMMENDATIONS:
=========================================

🚨 URGENT ACTIONS:
1. DISCONNECT the device from your network immediately
2. Block the device at your router level
3. Factory reset the Amazon device
4. Check all other devices on your network
5. Update your router's firmware
6. Change your WiFi password
7. Enable MAC address filtering on your router

🔧 TECHNICAL ACTIONS:
1. Add firewall rule to block $TARGET_IP:
 sudo iptables -A INPUT -s $TARGET_IP -j DROP
 sudo iptables -A OUTPUT -d $TARGET_IP -j DROP

2. Monitor your router's logs for suspicious activity
3. Check for unauthorized devices on your network
4. Consider using a separate IoT network

📋 LONG-TERM SECURITY:
1. Implement network segmentation
2. Use a firewall with intrusion detection
3. Regularly update all IoT devices
4. Monitor network traffic regularly
5. Consider using a security-focused router
EOF
}
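# Function to create firewall rules
#######################################
# Drop all traffic to and from TARGET_IP on this host via iptables, taking
# a private snapshot of the ruleset first so the change can be reverted.
# Without passwordless sudo, prints the commands for the operator instead.
# Globals:   TARGET_IP (read), LOG_FILE (appended), TMPDIR (read, optional)
# Arguments: none
# Outputs:   progress lines to stdout and LOG_FILE; backup path when taken
# Returns:   0 when the rules are present (or only printed), 1 if iptables
#            rejected a rule
#######################################
create_firewall_rules() {
  echo "" | tee -a "$LOG_FILE"
  echo "6. Creating firewall rules to block $TARGET_IP..." | tee -a "$LOG_FILE"

  # Check if we can run sudo without a prompt; otherwise fall through to
  # the manual instructions rather than hang a non-interactive run.
  if sudo -n true 2>/dev/null; then
    # Save iptables rules BEFORE modifying them, so the backup really is the
    # pre-change state. mktemp instead of a fixed name in /tmp: the path is
    # unpredictable and the file (which describes the host's firewall) is
    # created 0600 rather than readable by every local user.
    local backup
    if command -v iptables-save >/dev/null 2>&1; then
      if backup=$(mktemp "${TMPDIR:-/tmp}/iptables_backup_$(date +%Y%m%d_%H%M%S)_XXXXXX") \
          && sudo iptables-save > "$backup"; then
        echo "Iptables rules backed up to $backup" | tee -a "$LOG_FILE"
      else
        echo "WARNING: could not back up current iptables rules" | tee -a "$LOG_FILE"
      fi
    fi

    # -C tests whether the rule already exists so re-running the script does
    # not append duplicates; -A only runs when the check fails.
    # NOTE(review): if this host forwards traffic for the LAN, the FORWARD
    # chain would also need a rule; only local INPUT/OUTPUT are covered.
    # These rules live in the kernel only and do not survive a reboot.
    echo "Adding iptables rules..." | tee -a "$LOG_FILE"
    local rc=0
    sudo iptables -C INPUT -s "$TARGET_IP" -j DROP 2>/dev/null \
      || sudo iptables -A INPUT -s "$TARGET_IP" -j DROP || rc=1
    sudo iptables -C OUTPUT -d "$TARGET_IP" -j DROP 2>/dev/null \
      || sudo iptables -A OUTPUT -d "$TARGET_IP" -j DROP || rc=1
    if (( rc == 0 )); then
      echo "Firewall rules added successfully" | tee -a "$LOG_FILE"
    else
      # The original reported success unconditionally; surface the failure.
      echo "ERROR: iptables rejected one or more rules; the device is NOT blocked" | tee -a "$LOG_FILE"
      return 1
    fi
  else
    echo "Cannot run sudo. Please manually add firewall rules:" | tee -a "$LOG_FILE"
    echo "sudo iptables -A INPUT -s $TARGET_IP -j DROP" | tee -a "$LOG_FILE"
    echo "sudo iptables -A OUTPUT -d $TARGET_IP -j DROP" | tee -a "$LOG_FILE"
  fi
}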
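# Main execution
#######################################
# Run the investigation steps in order, then point at the log file.
# Evidence collection comes before the firewall change so the block does
# not hide what the device was doing.
# Globals:   TARGET_IP, LOG_FILE (read); MONITOR_TRAFFIC (read, optional:
#            set to 1 to include the packet capture step)
# Arguments: none (ignored)
# Outputs:   banner and trailer lines to stdout and LOG_FILE
# Returns:   status of the last tee
#######################################
main() {
  echo "🚨 SECURITY ALERT: Device $TARGET_IP may be compromised!" | tee -a "$LOG_FILE"
  echo "Starting security investigation..." | tee -a "$LOG_FILE"

  check_current_connections
  check_dns_queries
  check_malware_indicators
  # The capture needs root and blocks for its duration, so it is opt-in;
  # it was previously defined but never reachable from here. It runs before
  # the block is installed so the capture still sees the device's traffic.
  if [[ "${MONITOR_TRAFFIC:-0}" == "1" ]]; then
    monitor_traffic
  fi
  create_firewall_rules
  security_recommendations

  echo "" | tee -a "$LOG_FILE"
  echo "=== Investigation Complete ===" | tee -a "$LOG_FILE"
  echo "Full security report saved to: $LOG_FILE" | tee -a "$LOG_FILE"
  echo "" | tee -a "$LOG_FILE"
  echo "⚠️ IMMEDIATE ACTION REQUIRED: Disconnect the device!" | tee -a "$LOG_FILE"
}

# Run the main function
main "$@"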